1. INTRODUCTION

Many of the applications vital to the Objective Force will rely on
multicast and other forms of group communication using the wireless
battlefield networks of Future Combat Systems. Achieving secure and
survivable communications for these applications requires group key
management techniques that meet the unique challenges of battlefield
networks. These challenges include minimizing re-keying delay while
maximizing re-keying reliability, minimizing energy consumption, etc.
The techniques must also provide scalability, and minimize
communication while conforming to key storage and processing
constraints.

Achieving acceptable performance in tactical networks is impeded by
the fact that members of a group will typically be in motion, using a
network that is changing and operating in a dynamic environment. Such
an environment favors keying techniques that are flexible; however,
the communications used by traditional, efficient, hierarchical group
keying schemes, such as Logical Key Hierarchy (LKH) (Wallner et al.,
1998; Wong et al., 1998), One Way Function Tree (OFT) (Sherman and
McGrew, 2003), One Way Function Chain (OFC) (Canetti et al., 1999),
and related schemes (Rafaeli et al., 2001; Zhu et al., 2003; Loukas
and Poovendran, 2004) to perform re-keying operations are rather
rigid. In order to evict a group member, the group key manager must
establish a new group key by sending new cryptographic secrets to
certain subgroups corresponding to sub-trees of the “key trees” used
by those schemes. When the manager has only expensive, unreliable, or
slow communications with some of these subgroups, the manager will
want the flexibility to limit communications with those subgroups.
LKH provides no such flexibility, while OFT and OFC provide limited
flexibility.

We have developed a new hierarchical keying technique, OFC-X. OFC-X
has lower communication costs than LKH, OFT, and OFC since it
distributes fewer secrets; moreover, OFC-X provides the group manager
with greater flexibility to lower secret distribution costs, increase
secret distribution reliability, etc., than previous schemes.

2. THE OFC-X TECHNIQUE

We provide a brief summary of OFC-X. OFC-X constructs and maintains a
hierarchy of keys. The group manager and each group member generate a
shared secret using a practical non-interactive identity-based key
agreement scheme (Sakai et al., 2000; Dupont and Enge, 2003). The
manager and member generate a series of leaf node secrets for use
with OFC-X, using a special key derivation function plus their shared
secret. In LKH, OFT, and OFC, the manager distributes “key material”
to the group members to establish these shared secrets.

In OFC-X each node $v$ of a key tree has a node secret $x_v$ and a
node key $k_v$. The group key is the root node secret. To compute
node keys and interior node secrets OFC-X uses three special one-way
functions: 1) $e$ is used to compute a new instance of a node secret
$x'_v$ from the current secret $x_v$; 2) $f$ is used to compute a
parent node secret from the current instance of the left child node
secret or the right child secret; and 3) $g$ is used to compute node
keys from node secrets, $k_v = g(x_v)$. $E(k : m)$ denotes the
encryption of message $m$ under key $k$.

The node secrets are used to derive group keys in a bottom-up
fashion. Let $v$ be an interior node of an OFC-X key tree and let $L$
and $R$ be, respectively, the left and right child nodes of $v$.
During a re-key operation, one of four possible conditions will apply
to node $v$: 1) neither subtree of $v$ has changed and no action is
taken for this node; 2) the left subtree of $v$ has changed, and the
manager computes a new node secret for $v$ by using $x_v = f(x_L)$
and sending a node secret distribution message containing
$E(k_R : x_v)$ to the members in the right subtree, or by using
$x_v = f(x'_R = e(x_R))$¹ and sending $E(k_L : x_v)$ to the left
subtree; 3) the right subtree of $v$ has changed, and the operations
performed are the mirror image of condition 2; and 4) both subtrees
have changed and the manager computes either $x_v = f(x_L)$ or
$x_v = f(x_R)$ and sends the encrypted result to the members of the
appropriate subtree.
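The two choices in condition 2, worked through for one interior node. This is an added example, not code from the paper: the HMAC-SHA256 instantiation of $e$, $f$, $g$, the XOR placeholder for $E$, and the names `rekey_left_changed` and `member_derive` are all assumptions made for illustration.

```python
import hashlib
import hmac

def _owf(label: bytes, x: bytes) -> bytes:
    # Assumed instantiation: HMAC-SHA256 under a domain-separation label.
    return hmac.new(label, x, hashlib.sha256).digest()

def e(x): return _owf(b"ofcx-e", x)  # next instance x' of a node secret
def f(x): return _owf(b"ofcx-f", x)  # parent node secret from a child secret
def g(x): return _owf(b"ofcx-g", x)  # node key k = g(x)

def E(k: bytes, m: bytes) -> bytes:
    # Placeholder for E(k : m): XOR with one 32-byte pad, so it is its own
    # inverse. Unauthenticated and single-use per key; use an AEAD in practice.
    return bytes(a ^ b for a, b in zip(m, _owf(k, b"ofcx-pad")))

def rekey_left_changed(x_L, x_R, send_to):
    """Manager side of condition 2 (left subtree changed; x_L is already new).
    Returns (x_v, x_R kept for future re-keys, (addressed subtree, ciphertext))."""
    if send_to == "right":
        x_v = f(x_L)
        return x_v, x_R, ("right", E(g(x_R), x_v))
    x_R_next = e(x_R)              # footnote 1: x_R = x'_R from now on
    x_v = f(x_R_next)
    return x_v, x_R_next, ("left", E(g(x_L), x_v))

def member_derive(side, x_child, msg):
    """x_v as computed by a member that holds its own child's secret."""
    addressed, ciphertext = msg
    if addressed == side:
        return E(g(x_child), ciphertext)      # decrypt with own node key
    # Not addressed: derive locally, with no message needed.
    return f(x_child) if side == "left" else f(e(x_child))

if __name__ == "__main__":
    x_L, x_R = b"L" * 32, b"R" * 32           # constructed sample secrets
    for choice in ("right", "left"):
        x_v, _, msg = rekey_left_changed(x_L, x_R, choice)
        ok = all(member_derive(s, x, msg) == x_v
                 for s, x in (("left", x_L), ("right", x_R)))
        print(choice, "subtree addressed; members agree:", ok)
```

Whichever subtree the manager addresses, the other subtree derives $x_v$ without receiving anything, which is what lets the manager avoid the more expensive side.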

3. COMPARISON

Since OFC-X uses non-interactive identity-based key agreement and key
derivation to establish leaf node secrets for the key tree, OFC-X
distributes one less secret than do OFT and OFC when a member is
added or evicted.² OFC-X provides greater node secret distribution
flexibility than the other schemes. Whenever the secret of an
interior key tree node changes in LKH, a new secret must be sent to
both subtrees of the node. The group key manager has no flexibility.
When an interior node secret changes in OFT and OFC, due to
membership changes in either its left or right subtree, the group
manager must send a new secret to the opposite subtree. The manager’s
flexibility is limited to the order in which changes are made and
where additions are made.

The greater flexibility provided by OFC-X results in better
performance, e.g., lower re-key energy consumption. For a single
member eviction, the energy cost of LKH is the sum of the cost of
updating both sub-trees for each interior node along a path through
the key tree plus the cost of updating a leaf node. On average the
typical cost of an interior node update at a certain level of the
tree is about twice the average cost of updating a subtree at that
level. For OFT and OFC, the energy cost is the sum of updating one of
the sub-trees for each interior node along a path plus the cost of
updating a leaf node. On average the typical cost of an interior node
update at a certain level of the tree is the average cost of updating
a sub-tree at that level. For OFC-X the cost is the sum of the
minimum of the cost of updating either of the node’s sub-trees, for
each interior node along a path. On average the typical cost of an
interior node update at a certain level is the average minimum of the
cost of updating either of its sub-trees.

For energy consumption minimization, OFC-X offers the greatest
benefits compared to the other schemes when communication with a
subgroup is very expensive, and the subgroup is localized to a
portion of the key tree. Our analysis has shown that OFC-X offers the
greatest benefits when the metric of interest is especially sensitive
to localized network problems.³
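The three cost rules above, evaluated for a single eviction. This is an added example, not the authors' analysis, and it rests on assumptions: a complete binary key tree, a subtree update cost equal to the sum of per-member delivery costs of its remaining members, and a caller-supplied `leaf_update` cost; the function name `eviction_costs` and the sample costs are constructed.

```python
def eviction_costs(leaf_cost, evicted, leaf_update=0.0):
    """Re-key cost of evicting one member under each scheme.

    leaf_cost[i] is the assumed cost of delivering one secret to member i;
    len(leaf_cost) must be a power of two (complete binary key tree).
    """
    n = len(leaf_cost)
    if n < 2 or n & (n - 1):
        raise ValueError("leaf_cost length must be a power of two >= 2")
    if not 0 <= evicted < n:
        raise ValueError("evicted index out of range")
    lo, hi = evicted, evicted + 1      # leaves under the changed child
    lkh = oft = ofcx = 0.0
    width = 1
    while width < n:                   # walk the path from leaf to root
        width *= 2
        plo = (evicted // width) * width
        phi = plo + width              # leaves under the interior node
        # Remaining members of the changed subtree (the evicted one is gone).
        changed = sum(leaf_cost[lo:hi]) - leaf_cost[evicted]
        sibling = sum(leaf_cost[plo:lo]) + sum(leaf_cost[hi:phi])
        lkh += changed + sibling       # LKH: both subtrees
        oft += sibling                 # OFT/OFC: the opposite subtree
        ofcx += min(changed, sibling)  # OFC-X: whichever is cheaper
        lo, hi = plo, phi
    return {"LKH": lkh + leaf_update,
            "OFT/OFC": oft + leaf_update,
            "OFC-X": ofcx}

# Constructed scenario: members 4..7 sit behind an expensive link.
SAMPLE_COSTS = [1, 1, 1, 1, 10, 10, 10, 10]

if __name__ == "__main__":
    for member in (0, 5):
        print("evict", member, eviction_costs(SAMPLE_COSTS, member))
```

Evicting member 0 shows the localized case: OFT/OFC must reach the expensive half of the tree at the root, while OFC-X re-keys through the cheap half.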

¹ For future re-key operations, $x_R = x'_R$.

² LKH distributes twice as many secrets as do the other schemes.

³ E.g., the delay in re-keying the entire group, which is de-


4. CONCLUSION

We have presented some important aspects of a new hierarchical key
management scheme that is particularly well suited for mobile Army
battlefield networks. The OFC-X scheme provides enhanced performance
and reliability by enabling a group key manager to decide on the fly
which subtree of a node, with a changing membership, should receive a
new node secret. By exerting such control over which subtrees receive
new node secrets (which subsets of the members of the group need to
receive new secrets), the group manager is able to adapt to changing
environments, network topology, and adversary actions.